Analysis

max time kernel: 146s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 11:19

Static task: static1

Behavioral task: behavioral1
Sample: 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe
Resource: win10v2004-en-20220113
General

Target: 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe
Size: 60KB
MD5: 153c40aa205dd96c80e4fc1382e83801
SHA1: a43de24add9e7921c7f58886d7502e94481356ab
SHA256: 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf
SHA512: 450c60eca6beaa600e2d47351f14d9840499bc5813fe186a88d56d9561122c0586a891b19f88bc0c4e0192c8741a8837e10e19540440ff96e267a08316a2d2c3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid | process
    4524 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe, svchost.exe, TiWorker.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 3824 | 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe
    Token: SeShutdownPrivilege | 2768 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2768 | svchost.exe
    Token: SeShutdownPrivilege | 2768 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2768 | svchost.exe
    Token: SeShutdownPrivilege | 2768 | svchost.exe
    Token: SeCreatePagefilePrivilege | 2768 | svchost.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
    Token: SeBackupPrivilege | 4508 | TiWorker.exe
    Token: SeRestorePrivilege | 4508 | TiWorker.exe
    Token: SeSecurityPrivilege | 4508 | TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe, cmd.exe
    description | pid | process | target process
    PID 3824 wrote to memory of 4524 | 3824 | 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe | MediaCenter.exe
    PID 3824 wrote to memory of 4524 | 3824 | 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe | MediaCenter.exe
    PID 3824 wrote to memory of 4524 | 3824 | 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe | MediaCenter.exe
    PID 3824 wrote to memory of 632 | 3824 | 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe | cmd.exe
    PID 3824 wrote to memory of 632 | 3824 | 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe | cmd.exe
    PID 3824 wrote to memory of 632 | 3824 | 04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe | cmd.exe
    PID 632 wrote to memory of 2380 | 632 | cmd.exe | PING.EXE
    PID 632 wrote to memory of 2380 | 632 | cmd.exe | PING.EXE
    PID 632 wrote to memory of 2380 | 632 | cmd.exe | PING.EXE
Processes

- C:\Users\Admin\AppData\Local\Temp\04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe (PID 3824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4524)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 632)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04aad5cb6bcb36050d6d5b1c4cd4d6f796d1756151b4ed3e63f690af6fbf30bf.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2380)
      Command line: ping 127.0.0.1
      - Runs ping.exe

- C:\Windows\system32\svchost.exe (PID 2768)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4508)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d976193dfa2a1c137ecce9be4c04b669
  SHA1: f87437dc77ca4227d3c9246a09a906f2dfe8aa02
  SHA256: bdb84e593321abc02ec08bc2f9934c36a66213c8531d460bb2b3c59d49783c06
  SHA512: cd18ce19f6ae5d55b7f361dd2d8c76998529f7d58e6afaf413f3444b716811503b1f7b192d398d576f7c9b721aa3db1a791a28b130a28b0554f25eae709254f7
- memory/2768-132-0x000001B387560000-0x000001B387570000-memory.dmp
  Filesize: 64KB
- memory/2768-133-0x000001B387B20000-0x000001B387B30000-memory.dmp
  Filesize: 64KB
- memory/2768-134-0x000001B38A190000-0x000001B38A194000-memory.dmp
  Filesize: 16KB